Proper use of keyid in allow-transfer
MURTARI, JOHN
jm5903 at att.com
Thu Dec 7 12:41:24 UTC 2017
Folks,
Came across usage of a keyid as an address list in a allow-transfer option on a older server site. Didn't really know that was legal. It seemed an easier way to allow zone transfers without constantly updating a list of IP addresses on a master server. The only trouble - it didn't seem to actually work?
We've been trying it in a older lab server running a Solaris 9.9.9-S4 version of bind. The master has:
options {
....
allow-transfer {key bongo; 192.168.1.1};
};
key "bongo" {
algorithm hmac-md5;
secret "BippityBop";
};
The slave server defines the same key and is located at 192.168.1.1. When we use the above on the master, transfers for any zone work fine. If we remove the IP address and try a transfer we get 'denied'. What are we missing? Thought we might have to associate the keyid with zones on the slave, but couldn't find any options for that??? We don't use TSIG on these servers.
Thanks for the help!
John
----------------
John Murtari - jm5903 at att.com<mailto:jm5903 at att.com>
Ciberspring
office: 315-944-0998
cell: 315-430-2702
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20171207/f6269166/attachment.html>
More information about the bind-users
mailing list